Blockchain-Based Data Access Control and Key Agreement System in IoT Environment

Recently, with the increasing application of the Internet of Things (IoT), various IoT environments such as smart factories, smart homes, and smart grids are being created. In the IoT environment, a large amount of data is generated in real time, and the generated IoT data can serve as source data for services such as artificial intelligence, remote medical care, and finance, and for purposes such as electricity billing. Therefore, data access control is required to grant access rights to the various data users in the IoT environment who need such IoT data. In addition, IoT data contain sensitive information such as personal information, so privacy protection is also essential. Ciphertext-policy attribute-based encryption (CP-ABE) has been used to address these requirements. Furthermore, system structures that combine blockchains with CP-ABE are being studied to prevent bottlenecks and single points of failure at cloud servers, and to support data auditing. However, these systems do not specify authentication and key agreement to secure the data transmission and data outsourcing process. Accordingly, we propose a data access control and key agreement scheme using CP-ABE to ensure data security in a blockchain-based system. In addition, we propose a system that provides data nonrepudiation, data accountability, and data verification by utilizing the blockchain. Both formal and informal security verification are performed to demonstrate the security of the proposed system. We also compare the security and functional features and the computational and communication costs of previous systems. Furthermore, we perform cryptographic calculations to analyze the system in practical terms. As a result, our proposed protocol is more resistant to attacks such as guessing attacks and tracing attacks than other protocols, and provides mutual authentication and key agreement. In addition, the proposed protocol is more efficient than other protocols, so it can be applied to practical IoT environments.


Introduction
As IoT devices are deployed in environments such as houses, farms, factories, and power grids, smart city environments such as smart homes, smart factories, and smart grids continue to develop and spread. The amount of data generated and collected by IoT devices is increasing exponentially, and it is predicted that the total amount of data generated annually will reach 149 ZB by 2024 [1]. IoT data are used as source data for services related to finance, medical care, artificial intelligence, and electricity billing.
Data access control technology that can provide IoT data to data users (e.g., managers of smart grids and financial institutions) in an appropriate service environment is required to utilize IoT data as source data for various services. To efficiently utilize IoT data and provide them to data users, the gateway collects IoT data, outsources them to a cloud server, and manages the data through the cloud [2,3]. However, the generated IoT data contain sensitive information such as user personal information, so privacy cannot be guaranteed if the data are indiscriminately viewed by institutions using the data. Moreover, data outsourcing also creates security and privacy concerns because it separates data ownership and data management [4]. Therefore, access control for the data users is necessary to protect personal information and provide only data that meet the attributes of the data user that will use the data. To this end, data access control technology using attribute-based encryption (ABE) [5] has recently attracted attention as a promising technology.
In ciphertext-policy ABE (CP-ABE) [6], each datum is encrypted under an access structure set in advance by the encryptor, and a data user can decrypt the ciphertext only if the set of attributes he or she holds satisfies that access structure. IoT data producers need to provide their data, through the gateway, only to the organizations they intend to serve, in order to preserve privacy. Since the access structure for each piece of IoT data is therefore determined on the producer side, CP-ABE is well suited to the IoT environment.
Additionally, if the cloud server handles most of the system's computation and communication, including outsourced data and access control, the system is exposed to a single point of failure and to data management problems caused by centralization [7]. To solve this problem, decentralization of cloud servers using blockchains has recently been studied [8,9]. On the other hand, since IoT data are transmitted over open channels, malicious attackers can intercept the data and use them for privacy invasion, data exfiltration, and data abuse. Therefore, it is necessary to study the combined application of ABE and blockchains for data privacy and access control. In addition, to store and provide data securely, gateways, cloud servers, and data users need to verify that their counterparts are valid entities through authentication and key agreement. Therefore, in this paper we propose a security system that provides authentication together with access control. We analyze the trends and problems of systems for secure access control and management of data generated in the IoT environment, and present a direction for blockchain-based access control and key agreement that solves these problems.
The main motivations and contributions of this study, based on the problems and challenges mentioned above, are as follows:
• Unlike existing blockchain-based IoT data access control systems, the proposed system guarantees data protection through mutual authentication and key agreement. In detail, the proposed system provides mutual authentication based on bilinear pairing and secure key agreement based on the DBDH assumption. In addition, it provides secure data outsourcing and CP-ABE-based data access control by using the session key generated through the key agreement.
• The gateway and the cloud server establish a session key through mutual authentication and key agreement, and the gateway outsources data securely under that session key. Gateways also sign the data they upload so that the data can be validated. Data users can request data from the cloud server and verify the received data through the gateway's signature. Thus, the system provides data accountability.
• Since the proposed system uses a public permissioned blockchain, only data users, gateways, and cloud servers registered with the TA (trusted authority) can participate in the blockchain. Because data users can audit the blockchain, repudiation of uploaded data is prevented, that is, the system provides nonrepudiation of data.
• Detailed formal security validation using the widely accepted "AVISPA Software Verification Tool" [10], the "indistinguishability game against selective chosen plaintext attack (IND-CPA)", and "informal (nonmathematical) security analysis" shows that the proposed system is safe against multiple potential attacks on IoT-based smart city environments.
• Testbed experiments with the cryptographic primitives were performed on a laptop using the popular "Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)" [11].
The remainder of this paper is organized as follows: Section 2 reviews papers on data access control using CP-ABE and blockchain in IoT environments. Section 3 outlines the proposed system model, blockchain, access structure, bilinear pairing, DBDH assumption, and adversary model. Section 4 describes our proposed data access control system. Section 5 describes the results of formal security validation using AVISPA and IND-CPA, and Section 6 describes the results of informal security analysis. We analyze the efficiency and security features of the protocol in Section 7. Finally, Section 8 concludes the paper.

Related Works
Numerous studies on data access control using CP-ABE have been proposed, including applications to the IoT environment. In 2007, Cheung and Newport [12] proposed a CP-ABE scheme supporting both positive and negative attributes with an AND-gate access structure, and proved it secure against chosen-plaintext attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption. Lewko and Waters [13] proposed a multiauthority CP-ABE scheme and argued that their system does not require coordination among the authorities. However, in the initialization phase every authority must set up key parameters, so their structure is impractical for large-scale systems.
Systems in which data are outsourced to a cloud server and controlled there have also been proposed to store and manage data efficiently [14][15][16][17][18]. Yeh et al. [14] proposed a system that collects patient information from IoT devices for smart healthcare; for data integrity, data are encrypted before being uploaded to the cloud server, and patients control access to their data. Miao et al. [15] proposed a CP-ABE-based data access control and keyword search structure for a cloud-enabled mobile crowdsourcing environment. Liu et al. [16] proposed an e-healthcare record system that uploads and shares health data collected from wearable IoT devices on a cloud server and protects patients' personal information using CP-ABE. Ding et al. [17] proposed a structure that ensures data security in IoT systems using pairing-free CP-ABE. Lu et al. [18] proposed a secure data sharing system for cloud computing that protects data privacy on resource-constrained mobile terminals. However, since these systems are cloud-server-based access control systems, centralization remains a problem and may cause a single point of failure.
Therefore, blockchain-based CP-ABE systems have been proposed for access control of IoT data to solve this centralization problem [19][20][21][22][23][24]. In 2018, Zhang et al. [19] proposed a user-controlled data sharing system with privacy protection using fine-grained access control based on a blockchain and CP-ABE. In 2019, Ding et al. [20] also proposed an ABE access control system for IoT, in which the blockchain records the distribution of attributes to prevent single points of failure and data tampering. They argued that authentication can ensure strict access control, but their system contains no algorithm or protocol for it. Guo et al. [21] proposed a multiauthority blockchain-based ABE protocol for telemedicine systems; unfortunately, Son et al. [25] showed that the protocol of Guo et al. [21] is unsuitable for real-world environments because patients must maintain their own attribute keys. Yang et al. [22] proposed an EHR sharing system using cloud computing based on ABE and blockchains. In 2021, Wei et al. [23] designed an ABE algorithm for multiauthority scenarios with resource-constrained IoT devices in mind, shifting data management from a central server to a blockchain. Qin et al. [24] also proposed a blockchain-based CP-ABE system using cloud computing that considers the resource limitations of IoT devices. However, the authentication provided in [19][20][21][22][23][24] is authentication of data, not mutual authentication between the entities participating in the communication. For secure communication, a session key must be established through mutual authentication and key agreement.
Blockchain-based CP-ABE access control systems have been proposed for various smart environments using IoT devices. However, most studies do not provide mutual authentication, key agreement, data access control, data validation, and accountability at the same time. Therefore, we propose a structure that guarantees a secure data outsourcing process through mutual authentication and key agreement and provides data access control using CP-ABE. In addition, the proposed structure provides data nonrepudiation, data accountability, and data validation based on a blockchain.

System Models and Preliminary Work
We present the proposed system model for IoT data access control, considering data users in different IoT environments, and describe the blockchain characteristics, ABE, and adversary model used in our system. Table 1 explains the abbreviations and symbols used in this paper.

Table 1. Notations (author's own processing).

Notation / Abbreviation        Meaning
IoT                            Internet of Things
ABE                            Attribute-based encryption
CP-ABE                         Ciphertext-policy ABE
DBDH                           Decisional bilinear Diffie-Hellman
DU_i, DU_ID_i, DUPW_i          ith data user, and his/her identity and password, respectively
GW_j, GID_j                    jth gateway and its identity, respectively
CS, ID_cs                      Cloud server and its identity, respectively
HDU_ID_i, PGID_j, PID_cs       Hidden identity of the data user, gateway, and cloud server, respectively
TA                             Trusted authority
R_cs, r_i, r_j, k_TA           Secret key of CS, DU_i, GW_j, and TA, respectively
PK_cs, PK_i, PK_j, PK_TA       Public key of CS, DU_i, GW_j, and TA, respectively
ATTRI_i                        Attribute set of DU_i
attr_i                         Attribute private key of DU_i
T, τ                           Access tree and root of the tree
SK                             Session key established between GW_j and CS
K                              Data decryption key
h_1, h_2                       Hash function and map-to-point hash function
||                             Concatenation operator
⊕                              Bitwise exclusive-or operator

System Model
Our proposed data access control system model is described in Figure 1. It consists of the following entities:
• Cloud Server (CS): A set of CSs forms a "CS network" that maintains a distributed ledger for block addition. CSs are honest-but-curious entities. The CS receives the IoT data and provides them to a data user whose attributes match. In addition, the CS uploads data such as data attributes, signature values, and public keys to the blockchain to relieve the centralization problem.
• Gateway (GW): Gateways are distributed in the various smart environments that make up the smart city. A gateway collects IoT data from its environment, encrypts them with attribute-based encryption under the appropriate access structure, and uploads them to a cloud server.
• Data User (DU): A data user is a party that bills fees based on IoT data or provides services such as artificial intelligence, finance, and medical care using IoT data. The data user requests an attribute key from the TA. After that, the data user can request data matching its attributes from the cloud server and obtain the original data by decrypting the received data with the attribute key.
• Trusted Authority (TA): All data users, gateways, and cloud servers must register with a fully trusted TA.
• Blockchain: The proposed system model uses a public permissioned blockchain. To relieve the centralization of CSs, the blockchain stores, on behalf of the CS, the storage address of the data held by the CS, the public key of each participant, hashes, data access trees, etc. The "practical Byzantine fault tolerance (PBFT) consensus algorithm" [26] is applied to propose, verify, and vote on blocks added to the chain. Data users audit the blockchain ledger. All blockchain members can read the ledger, but only data users and cloud servers can upload transactions to the blockchain. When a DU requests information from the CS, the CS checks through the blockchain whether the DU's attributes satisfy the access tree of the requested information; if they do, the CS passes the encrypted data to the DU.
The system operates in the following phases. In the setup phase, TA generates and publishes the parameters required by the system. In the registration phase, DUs, GWs, and the CS register with TA over closed channels. In the attribute key generation phase, a DU asks TA for a key matching its attributes and later uses that attribute key to decrypt encrypted data. In the authentication phase, GW and CS perform mutual authentication and key agreement for data upload. In the data upload phase, GW uploads data to the cloud server under the agreed session key; at the same time, GW uploads its signature to the blockchain as a verification value for the data and the upload time, and CS uploads the access tree of the data and the record address where the data are stored. In the data request and provide phase, DU requests data from CS; CS verifies the DU's request message, checks the DU's attributes through the blockchain, and transmits the corresponding data to DU. DU downloads the verification value for the transmitted data from the blockchain, checks that the data are valid, and decrypts them with its own attribute key.

Blockchain
A blockchain is a distributed data storage system that can solve the single-point-of-failure problem that arises when everything is concentrated in the cloud server. The decentralized nature of blockchains can provide nonrepudiation of data, accountability, and transparency. In addition, the timestamp recorded on the blockchain lets participants know when a transaction was generated [27]. In general, four types of blockchain platform are distinguished:
• Public permissionless blockchain: A public permissionless blockchain provides a "low trust" environment in which anyone can run a node and participate in the network. It can be accessed by anyone, any node can participate in the consensus protocol, and anyone can read the entire transaction ledger.
• Public permissioned blockchain: Public permissioned blockchains have rules that determine who can participate in the verification process and run nodes. They are commonly used by public institutions such as government agencies, businesses, or educational institutions. Only whitelisted nodes can participate in the consensus mechanism. The owners create validator nodes that define the governance rules of the blockchain, including who can create new nodes or write to the blockchain. However, read access can be made publicly available to anyone.
• Private permissionless blockchain: A private permissionless blockchain has no restrictions on who can participate in the consensus mechanism. However, unlike a public permissionless blockchain, there are restrictions on who can read and write its content.
• Private permissioned blockchain: These blockchains are controlled by a distinct group of one or several owners who determine the participants in the consensus mechanism. Only selected user groups can read or write to them. If public verification of records is not required, a private permissioned blockchain is a suitable choice.
In this paper, only the cloud servers and the data users of the smart city can write to the blockchain. Therefore, a public permissioned blockchain is adopted, and PBFT is used as the consensus algorithm.

Access Structure
Following [6], we use an access tree as the access structure. Let T be an access tree. Each internal node v of T is a threshold gate described by its number of children num_v and a threshold value threshold_v with 0 < threshold_v ≤ num_v; the gate is an AND gate when threshold_v = num_v and an OR gate when threshold_v = 1. A leaf node v is associated with an attribute att(v) and has threshold_v = 1; att(v) is defined only for leaf nodes.
An attribute set S (for example, the attribute set ATTRI_i of a data user) satisfies T if it satisfies the root node τ of T, which is decided recursively. In the first case, τ is itself a leaf node, and T is satisfied when the attribute att(τ) belongs to S. In the second case, τ is a threshold gate whose children are leaf nodes, and T is satisfied when at least threshold_τ of the children have their attribute in S. In the remaining case, where τ is a threshold gate and some of its children are themselves threshold gates, the second case is applied recursively to each child subtree.

Bilinear Pairing
Let G_1 and G_2 be cyclic groups of the same large prime order q, written additively and multiplicatively, respectively. A map e : G_1 × G_1 → G_2 is a bilinear map if it satisfies the following conditions:
• Efficiency: For all P, Q ∈ G_1, e(P, Q) can be computed in polynomial time.
• Bilinearity: For all P, Q ∈ G_1 and all x, y ∈ Z_q^*, e(xP, yQ) = e(P, Q)^{xy}.
• Nondegeneracy: There exist P, Q ∈ G_1 such that e(P, Q) ≠ 1_{G_2}, where 1_{G_2} is the identity element of G_2.

Decisional Bilinear Diffie-Hellman (DBDH) Assumption
Let G_1 be a group of prime order q with generator P, and let a, b, c, z ∈ Z_q be chosen uniformly at random. The DBDH assumption [28] states that it is hard for a probabilistic polynomial-time adversary A to distinguish the tuple (aP, bP, cP, e(P, P)^{abc}) from (aP, bP, cP, e(P, P)^{z}). The advantage ε of A is its probability of telling the two tuples apart beyond random guessing. The DBDH assumption holds if no such A can decide whether e(P, P)^{z} = e(P, P)^{abc}, that is, whether z = abc or z is random in Z_q, with non-negligible advantage.

Adversary Model
We adopt the widely accepted "Dolev-Yao (DY) threat model" [29] for the cryptographic analysis of protocol security. Under the DY model, a malicious adversary can intercept any message sent over a public channel and can modify, insert, delete, or eavesdrop on intercepted messages. In addition, we assume the following:
• An adversary has full control of the messages sent over the open wireless channel and learns from them; the attacker can modify, remove, or insert legitimate messages.
• In polynomial time, an adversary can guess only one secret value at a time, because guessing more than one value at once (for example, an identity and a password simultaneously) is computationally infeasible.
• An adversary can steal or otherwise obtain a valid smart card, and can perform a power analysis attack [30,31] on it to extract the sensitive information it stores.
In addition, this paper adopts the "CK adversary model" [32], a stronger attack model that reflects the actual environment and is considered the de facto standard for modeling key exchange protocols. In the CK model, for the session key agreed between the communicating parties to remain secure, the key exchange protocol must minimize the impact of leaked long-term or short-term (ephemeral) secrets.

Proposed Data Access Control System for IoT Environments
In this section, we propose a method of access control for IoT data, which overcomes the limitations and security pitfalls of previous access control methods. In addition, the proposed protocol guarantees stronger security through authentication in the existing access control method.

Setup Phase
TA generates the public parameters used by the system's attribute-based encryption and blockchain, as follows:
Step SP1: TA generates an additive cyclic group G_1 and a multiplicative cyclic group G_2 of the same prime order q, and a bilinear map e : G_1 × G_1 → G_2. TA chooses the secret keys k_TA and ζ in Z_q^*, and a generator P ∈ G_1. Moreover, TA chooses the hash functions h_1 : {0, 1}^* → Z_q and h_2 : {0, 1}^* → G_1.
Step SP2: TA computes the public key PK_TA = k_TA · P, the attribute-key factor F = P^{k_TA}, and the decryption factor e(P, P)^ζ. Then, TA publishes (G_1, G_2, q, e, P, PK_TA, F, e(P, P)^ζ, h_1, h_2).

Registration Phase
For key agreement and authentication, the GWs of the IoT environments, the CS, and the DUs have to register with TA. This phase runs over a secure channel.

Cloud Server Registration Phase
This phase is executed over a secure channel:
Step CSR1: The cloud server CS picks its identity ID_cs and generates a random number c_cs. CS computes PID_cs = ID_cs ⊕ c_cs and sends (PID_cs, c_cs) to the trusted authority TA through a closed channel.
Step CSR2: TA stores PID_cs in its secure database and computes R_cs = h_1(k_TA || c_cs) as CS's private key. TA then sends R_cs to CS over the secure channel.
Step CSR3: CS computes its public key PK_cs = R_cs · P.

Data User Registration Phase
When a new data user DU_i registers with TA, the following steps are followed:
Step UR1: DU_i chooses a unique identity DU_ID_i and password DUPW_i, and generates random nonces IU_i and a_i in Z_q^*. DU_i then computes its hidden identity HDU_ID_i and hidden password HDUPW_i and sends the registration request to TA.
Step UR2: After receiving the request, TA computes TID_i = (HDU_ID_i · k_TA) · PK_TA and A_i = TID_i ⊕ (HDUPW_i ⊕ a_i). TA stores HDU_ID_i together with TID_i in its secure memory, stores A_i in a smart card SC, and issues SC to DU_i. At the same time, TA sends (h_1(TID_i), HDU_ID_i) to CS via a closed channel.
Step UR3: After receiving SC, DU_i computes Z_i, B_i, C_i, and D_i = r_i ⊕ HDUPW_i, stores Z_i, B_i, C_i, and D_i in SC, and computes its public key PK_i = r_i · P.
Step UR4: After receiving TA's message, CS computes MCS_i = h_1(HDU_ID_i || R_cs) and stores MCS_i in its secure database. CS also stores h_1(TID_i) together with HDU_ID_i.

Gateway Registration Phase
In this phase, the following steps are performed over closed channels:
Step GWR1: A gateway GW_j chooses its identity GID_j, generates a random nonce b_j, and computes PGID_j = GID_j ⊕ b_j. GW_j also generates its public key PK_j = r_j · P from its secret key r_j, and sends PGID_j to the trusted authority TA via a closed channel.
Step GWR2: TA computes TGID_j = (h_1(PGID_j) · k_TA) · PK_TA and stores PGID_j together with TGID_j in its secure database. TA then sends TGID_j to GW_j over the secure channel. At the same time, TA sends (h_1(PGID_j), TGID_j) to CS through a secure channel.
Step GWR3: CS computes GCS_j = h_1(h_1(PGID_j || R_cs)) and stores GCS_j in its secure database. CS also stores TGID_j together with h_1(PGID_j).

Attribute Key Generation Phase
In this phase, the data user with attribute set ATTRI_i requests the attribute key from TA, and TA provides the corresponding key.
Step AKG1: DU_i chooses its attributes ATTRI_i and sends them to TA to request the attribute key.
Step AKG2: TA generates random nonces ra_i, rb_i ∈ Z_q^*. TA computes At_i = F(ζ + ra_i), and for each attribute s ∈ ATTRI_i computes At_{i,s} = ra_i · P + rb_i · h_2(s) and At'_{i,s} = rb_i · P. The attribute key is attr_i = (At_i, {At_{i,s}, At'_{i,s}}_{s ∈ ATTRI_i}). Finally, TA sends attr_i to DU_i.
Step AKG3: After receiving attribute keys, DU i uploads the transaction Tx i = (PK i , ATTRI i ) to the blockchain.

Authentication and Key Agreement Phase
Before uploading IoT data to the cloud server, GW_j and CS authenticate each other to establish mutual trust and then establish a session key SK, which gives them a secure communication channel. The detailed steps are given below and summarized in Figure 2.
Step AK1: GW_j generates a random number β_i and a timestamp T_1, computes E_i, F_i, and MC_jc, and TAUTH_j = MC_jc · TGID_j. Then, GW_j sends the request message (E_i, F_i, PK_j, TAUTH_j, T_1) to CS over an insecure channel.
Step AK2: After receiving the message, CS retrieves h_1(PGID_j) using TGID_j and checks e(TAUTH_j, P) =? e((h_1(PGID_j) · MC_jc) · PK_TA, PK_TA). If the two sides are equal, GW_j is authenticated. CS then generates a random number n_cs and a timestamp T_2, and computes P_cg = (n_cs · R_cs) · P, V_cg = (n_cs · R_cs) · PK_j, G_i = V_cg ⊕ n_cs, the session key SK = h_1(n_cs || h_1(h_1(PGID_j) || β_i)), and M_cg = h_1(h_1(PGID_j) || V_cg || T_2). Then, CS sends the response message (P_cg, G_i, M_cg, T_2) to GW_j through the public channel.
Step AK3: GW_j checks the freshness of the timestamp, |T_2' − T_2| < ΔT, where T_2' is the time of receipt. If it is valid, GW_j computes V_cg = r_j · P_cg and n_cs = G_i ⊕ V_cg, and checks M_cg =? h_1(h_1(PGID_j) || V_cg || T_2). If it holds, GW_j considers CS authentic and computes the shared session key SK = h_1(n_cs || h_1(h_1(PGID_j) || β_i)).
Finally, GW_j and CS have mutually authenticated each other and hold the same session key SK for IoT data upload.

Data Upload Phase
GW_j uploads IoT data under the session key agreed with CS. GW_j encrypts the data with CP-ABE before uploading them to CS, so that only a DU_i with appropriate attributes can access the shared data. In addition, GW_j generates a signature value so that DU_i can later verify the data. CS stores the encrypted data and uploads GW_j's signature value, public key, access tree, and the storage address to the blockchain. The detailed steps are as follows.
Step DU1: GW_j chooses an access tree T with root τ. GW_j generates a timestamp TS_j and selects a random polynomial q_τ(x) of degree d_τ = threshold_τ − 1, choosing a random number x_j ∈ Z_q^* and setting q_τ(0) = x_j. GW_j computes c_j1 = DATA_j · e(P, P)^{ζ x_j} and c_j2 = x_j · PK_TA. For every other node le of T, GW_j chooses a polynomial q_le(x) in the same way, with q_le(0) fixed by its parent node as in [6] and the remaining d_le points chosen at random. Then, for every leaf node le of T, GW_j computes C_le = q_le(0) · P and C'_le = q_le(0) · h_2(att(le)). The ciphertext is δ_j = (T, c_j1, c_j2, {C_le, C'_le}). GW_j also signs the data: it computes s_j = h_1(PGID_j || r_j || DATA_j), S_j = s_j · P, and the signature Sig_j = s_j + h_1(PK_j || δ_j) · r_j. Finally, GW_j sends ((S_j, Sig_j, δ_j, TS_j)_SK, h_1(PK_j || δ_j || TS_j)) to CS through an open channel, where (·)_SK denotes encryption under the session key SK.
Step DU2: CS decrypts (S_j, Sig_j, δ_j, TS_j) with the session key and checks the received h_1(PK_j || δ_j || TS_j) against its own computation. If the values are equal, CS stores δ_j in its database and sets ADDR_j to the record address. Finally, CS uploads the transaction Tx_j = (S_j, Sig_j, PK_j, T, h_1(δ_j || PK_j), ADDR_j) to the blockchain.

Data Request and Provide Phase
Step DRP1: DU_i inserts the smart card SC and inputs DU_ID_i and DUPW_i. SC then verifies the login; if it is valid, DU_i generates a random nonce r_du and a timestamp TS_i and computes the authentication value AID_i. DU_i obtains the transaction (Sig_j, PK_j, T, h_1(δ_j || PK_j), ADDR_j) from the blockchain, computes M_1 = (PK_i || ADDR_j || r_du || TS_i) + r_i · PK_cs, and sends the data request message (h_1(TID_i), AID_i, PK_i, TS_i, M_1) to CS.
Step DRP2: After receiving the message, CS retrieves HDU_ID_i using h_1(TID_i) and verifies h_1(HDU_ID_i || R_cs) =? MCS_i. If it holds, CS computes AUTH_i = R_cs · PK_i and MC_ic, and checks e(AID_i, P) =? e((HDU_ID_i · MC_ic) · PK_TA, PK_TA). If this equality holds, CS obtains (PK_i, ATTRI_i) from the blockchain, recovers (PK_i || ADDR_j || r_du || TS_i) = M_1 − R_cs · PK_i, and confirms that ATTRI_i satisfies the access tree of δ_j. If it does, CS computes M_2 = (δ_j || TS_cs) + R_cs · PK_i and sends the message (M_2, AID_i, TS_cs) to DU_i.
Step DRP3: DU_i recovers (δ_j || TS_cs) = M_2 − r_i · PK_cs and checks that h_1(δ_j || PK_j) computed from the received δ_j equals the value h_1(δ_j || PK_j) obtained from the blockchain. Depending on the type of the root node, decryption proceeds as follows.
• Case 1: If τ is a leaf node, let le = τ and s = att(τ). DU_i pairs its attribute-key components with the ciphertext components of that leaf and computes K = e(At_{i,s}, C_le) / e(At'_{i,s}, C'_le) = e(P, P)^{ra_i q_τ(0)}, the data decryption key. DU_i then decrypts as
c_j1 / (e(c_j2, At_i) / K) = DATA_j · e(P, P)^{ζ x_j} / (e(x_j · PK_TA, F(ζ + ra_i)) / e(P, P)^{ra_i x_j}) = DATA_j · e(P, P)^{ζ x_j} / (e(P, P)^{x_j(ζ + ra_i)} / e(P, P)^{ra_i x_j}) = DATA_j.
• Case 2: Assume that the root node τ is a threshold gate and its child nodes are attributes. Let c_τ denote the set of child nodes of the root, and let ∆_{ind(le),c_τ}(x) denote the Lagrange coefficient of the child le, identified by its index ind(le), with respect to the index set of c_τ. For at least threshold_τ children le whose attribute s = att(le) it holds, DU_i computes e(At_{i,s}, C_le) / e(At'_{i,s}, C'_le) = e(P, P)^{ra_i q_le(0)}, and combining these values with the coefficients ∆_{ind(le),c_τ}(0) yields e(P, P)^{ra_i q_τ(0)} = K. DU_i can then decrypt the IoT data as in Case 1.
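The access-tree evaluation of Section 3 and the share reconstruction behind Case 2 above can be followed in the clear, as an added example that is not part of the original paper: the Python below models the top-down polynomial sharing that GW_j performs in Step DU1 (q_τ(0) = x_j, each child receives q_parent(ind(le)), leaves keep q_le(0)) and the bottom-up Lagrange recombination with ∆_{ind(le),c_τ}(0) that DU_i performs, over Z_q directly instead of in the exponent of e(P, P) where the scheme performs it. The toy prime Q, the example tree, and the attribute strings are assumptions made for illustration.

```python
"""Added example (not from the paper): access-tree evaluation and the
polynomial sharing / Lagrange reconstruction behind the CP-ABE access
structure, carried out over Z_q in the clear.  In the scheme the same
arithmetic happens in the exponent of e(P, P); the Lagrange coefficients
Delta_{ind(le), c_tau}(0) are identical."""
import secrets

Q = 2**61 - 1   # toy prime standing in for the group order q (assumption)


class Node:
    """Internal node: threshold gate k-of-n over children.  Leaf: attribute."""
    def __init__(self, k=None, children=None, attr=None):
        self.k, self.children, self.attr = k, children or [], attr
        self.share = None          # q_v(0) once the tree has been shared

    @property
    def is_leaf(self):
        return self.attr is not None


def AND(*ch): return Node(k=len(ch), children=list(ch))   # threshold = num
def OR(*ch):  return Node(k=1, children=list(ch))         # threshold = 1
def leaf(a):  return Node(attr=a)


def satisfies(node, attrs):
    """Recursive check: a leaf is satisfied iff att(v) in attrs, a gate iff at
    least k_v of its children are satisfied."""
    if node.is_leaf:
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.k


def share(node, secret):
    """Top-down sharing as in Step DU1: q_v(0) is fixed by the parent, the
    other k_v - 1 coefficients are random, and child ind receives q_v(ind)."""
    node.share = secret % Q
    if node.is_leaf:
        return
    coeffs = [node.share] + [secrets.randbelow(Q) for _ in range(node.k - 1)]
    for ind, child in enumerate(node.children, start=1):
        value = sum(c * pow(ind, e, Q) for e, c in enumerate(coeffs)) % Q
        share(child, value)


def lagrange_at_zero(ind, index_set):
    """Delta_{ind, S}(0) = prod_{j in S, j != ind} (0 - j) / (ind - j) mod q."""
    num, den = 1, 1
    for j in index_set:
        if j != ind:
            num = num * (-j) % Q
            den = den * (ind - j) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(node, attrs):
    """Bottom-up recovery of q_v(0) from the leaf shares of attributes the
    decryptor holds.  Returns None when the subtree is not satisfied."""
    if node.is_leaf:
        return node.share if node.attr in attrs else None
    found = []
    for ind, child in enumerate(node.children, start=1):
        v = reconstruct(child, attrs)
        if v is not None:
            found.append((ind, v))
        if len(found) == node.k:       # k_v satisfied children suffice
            break
    if len(found) < node.k:
        return None
    idx = [i for i, _ in found]
    return sum(v * lagrange_at_zero(i, idx) for i, v in found) % Q


# Example access tree (assumed): (smart_grid AND billing) OR (hospital AND (doctor OR nurse))
TREE = OR(AND(leaf("smart_grid"), leaf("billing")),
          AND(leaf("hospital"), OR(leaf("doctor"), leaf("nurse"))))


def demo(secret=123456789, attrs=("hospital", "nurse")):
    """Share `secret` (the role of x_j = q_tau(0)) over TREE and try to
    recover it with the attribute set `attrs`."""
    share(TREE, secret)
    return reconstruct(TREE, set(attrs))
```

Because the reconstruction only ever reads the shares of leaves whose attribute the caller holds, an attribute set that does not satisfy the tree yields None rather than a wrong value, which mirrors the fact that DU_i without the matching At_{i,s} components cannot form K.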

Data Validation Phase
If data users want to verify that the gateway's information is correct, data verification can be performed in this phase. This validation makes the gateway accountable for its own data and gives the data user assurance of the data's reliability. A detailed description of this phase is provided below:
Step DVP: $DU_i$ obtains $S_j$, $Sig_j$, $PK_j$ and $h_1(\delta_j\|PK_j)$ from the transaction related to the data. $DU_i$ computes $Sig_j \cdot P = s_j \cdot P + h_1(PK_j\|\delta_j) \cdot r_j \cdot P = S_j + h_1(PK_j\|\delta_j) \cdot PK_j$. Then, $DU_i$ checks $S_j \stackrel{?}{=} Sig_j \cdot P - h_1(PK_j\|\delta_j) \cdot PK_j$. If it holds, data validation is complete.
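As an added example (not the paper's code), the Step DVP check above implemented as a Schnorr-style signature over the gateway's ciphertext, with the gateway side that produces $(S_j, Sig_j, PK_j)$ included so the check runs end to end. The curve (secp256k1), the hash ($h_1$ = SHA-256 reduced modulo the group order) and the raw-coordinate encoding of points are assumptions; the paper names none of them.

```python
import hashlib
import secrets

# Constructed example of the Step DVP check; not the paper's code.
# secp256k1 and SHA-256 are assumptions: the paper names neither curve nor hash.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point with k reduced mod N."""
    result, addend, k = None, point, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def h1(*parts: bytes) -> int:
    """h1: SHA-256 over the concatenation, taken as a scalar mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def encode(point) -> bytes:
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")

def gateway_sign(r_j: int, delta_j: bytes):
    """GW_j: PK_j = r_j*P, S_j = s_j*P, Sig_j = s_j + h1(PK_j||delta_j)*r_j mod N."""
    pk_j = ec_mul(r_j, G)
    s_j = secrets.randbelow(N - 1) + 1      # fresh per signature: reusing s_j leaks r_j
    sig_j = (s_j + h1(encode(pk_j), delta_j) * r_j) % N
    return ec_mul(s_j, G), sig_j, pk_j      # (S_j, Sig_j, PK_j) as stored in Tx_j

def du_validate(s_point, sig_j: int, pk_j, delta_j: bytes) -> bool:
    """DU_i: accept iff S_j == Sig_j*P - h1(PK_j||delta_j)*PK_j (Step DVP)."""
    e = h1(encode(pk_j), delta_j)
    neg_pk_j = (pk_j[0], (-pk_j[1]) % P)          # -PK_j
    return ec_add(ec_mul(sig_j, G), ec_mul(e, neg_pk_j)) == s_point

if __name__ == "__main__":
    r_j = secrets.randbelow(N - 1) + 1          # gateway's long-term secret
    delta_j = b"constructed ciphertext delta_j"
    s_point, sig_j, pk_j = gateway_sign(r_j, delta_j)
    print(du_validate(s_point, sig_j, pk_j, delta_j))        # True
    print(du_validate(s_point, sig_j, pk_j, b"tampered"))    # False
```

A tampered $\delta_j$ or a modified $Sig_j$ changes the recomputed point, so the equality fails and the data user rejects the record.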

Block Formation and Addition Phase
In the key generation phase and the data upload phase, $DU_i$ and CS create a transaction and upload it to the blockchain. We describe the process in detail from the CS side in this section; the block construction and addition for $DU_i$ are similar. The "practical Byzantine fault tolerance (PBFT) consensus algorithm" [26] is applied for adding blocks to the existing blockchain, verifying blocks, and voting-based consensus. The block structure is depicted in Figure 3, and the entire block addition procedure is given in Algorithm 1.
Algorithm 1. Block addition
1: Input: transactions pool ($Tx_{pool}$), transactions threshold ($Tx_{thresh} = t$), number of CS nodes $n_{cs}$, minimal approval ($Min_{approve} = 2 \cdot (n_{cs} - 1)/3 + 1$)
2: Output: Commitment for block addition (CMP)
3: Assume that a cloud server node ($CS_l$) is elected as a leader
4: $CS_l$ picks a fresh timestamp and creates a block $Block_m$ with $Tx_{pool}$
5: $CS_l$ sets CMP = NULL and sends $Block_m$ to the follower cloud server nodes ($CS_k$, $k = 1, 2, \ldots, n_{cs}$, $k \ne l$) as a voting request
6: for each follower $CS_j$ do
7:   if (($Tx_j$ = valid) and (MR = valid) and (ECDSA.sig$_{Tx}$ = valid) and (CBHash = valid)) then
8:     Set CMP = CMP + 1
9:   end if
10: end for
11: if (CMP ≥ $Min_{approve}$) then
12:   Add $Block_m$ to the blockchain
13:   Broadcast commitment message to CS
14: end if

Block Formation Phase
At the data upload phase of our system, the data generated by $GW_j$ are uploaded to CS using the session key SK agreed between $GW_j$ and CS in the authentication and key agreement phase. CS securely gathers $t$ items of data, filters them, and generates $t$ transactions $Tx_j = (S_j, Sig_j, PK_j, T, h_1(\delta_j\|PK_j), ADDR_j)$, $j = 1, 2, \ldots, t$, for the transactions pool. In detail, CS computes the Merkle tree root (MR) over the transactions $Tx_j$ and computes the "elliptic curve digital signature" over them as $ECDSA.sig_{Tx} = ECDSA.sig_{gen}(Tx_{msg})$, where $Tx_{msg} = h_1(Tx_1\|Tx_2\|\ldots\|Tx_j\|PK_{cs}\|MR)$.

Block Addition Phase
After the block formation phase, the MR of the transactions in the block is verified. In addition, CS runs the voting-based PBFT consensus algorithm. The CS nodes $CS_l$, $l = 1, 2, \ldots, n_{cs}$ ($n_{cs}$ is the number of peers in CS), form a distributed P2P network in which each CS node is a peer responsible for adding blocks. After a CS peer receives $Block_m$, it verifies the block against its existing transaction pool. When all transactions in $Block_m$ are confirmed by the transaction pool, the peer puts a valid vote into the commit message pool. CS continuously checks the commit message pool; when the minimum approval $Min_{approve} = 2 \cdot (n_{cs} - 1)/3 + 1$ for block addition is reached, the new block $Block_m$ is added to the blockchain.
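As an added example (not the paper's or any project's code) covering the block formation phase and the block addition phase above: the leader builds MR and $Tx_{msg}$ over a constructed pool of placeholder transactions, each follower runs the checks of Algorithm 1, line 7, against its own pool and chain head, and the block commits once CMP reaches $Min_{approve}$. Using SHA-256 as $h_1$, the pairwise Merkle construction, rounding $Min_{approve}$ up when $n_{cs}$ is not of the form $3f + 1$, and leaving out the ECDSA verification of $Tx_{msg}$ are this example's assumptions.

```python
import hashlib

# Constructed example of CS-side block formation and PBFT-style block addition;
# not the paper's code. Tx fields are placeholders and h1 is assumed to be SHA-256.

def h1(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tx_hash(tx: dict) -> str:
    """Canonical digest of Tx_j = (S_j, Sig_j, PK_j, T, h1(delta_j||PK_j), ADDR_j)."""
    return h1(repr(sorted(tx.items())).encode())

def merkle_root(leaves: list) -> str:
    """MR over the t transaction digests; an odd last node is paired with itself."""
    if not leaves:
        raise ValueError("empty transaction pool")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h1((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

def tx_msg(txs: list, pk_cs: str, mr: str) -> str:
    """Tx_msg = h1(Tx_1||...||Tx_t||PK_cs||MR): the digest the leader signs with ECDSA."""
    return h1(("".join(tx_hash(t) for t in txs) + pk_cs + mr).encode())

def min_approve(n_cs: int) -> int:
    """Min_approve = 2*(n_cs-1)/3 + 1, rounded up when n_cs != 3f+1 (assumption)."""
    return -(-2 * (n_cs - 1) // 3) + 1

def build_block(prev_hash: str, timestamp: int, txs: list, pk_cs: str) -> dict:
    """Leader CS_l: Block_m carries CBHash (prev_hash), a timestamp, the txs, MR and Tx_msg."""
    mr = merkle_root([tx_hash(t) for t in txs])
    return {"prev_hash": prev_hash, "timestamp": timestamp, "txs": txs,
            "mr": mr, "msg": tx_msg(txs, pk_cs, mr)}   # ECDSA.sig over msg not modelled

def follower_vote(block: dict, pool: set, last_hash: str, pk_cs: str) -> bool:
    """Follower CS_k: the checks of Algorithm 1, line 7, against its own state."""
    digests = [tx_hash(t) for t in block["txs"]]
    return (all(d in pool for d in digests)                              # Tx_j valid
            and block["mr"] == merkle_root(digests)                      # MR valid
            and block["msg"] == tx_msg(block["txs"], pk_cs, block["mr"])  # signed digest
            and block["prev_hash"] == last_hash)                         # CBHash valid

def try_commit(block: dict, followers: list, n_cs: int, pk_cs: str):
    """Count CMP over the followers; Block_m commits when CMP >= Min_approve."""
    cmp_votes = sum(follower_vote(block, pool, last, pk_cs) for pool, last in followers)
    return cmp_votes, cmp_votes >= min_approve(n_cs)

# Constructed sample: n_cs = 4 cloud server nodes, one leader and three followers.
SAMPLE_TXS = [{"S": f"S{j}", "Sig": f"Sig{j}", "PK": f"PK{j}", "T": "tree",
               "H": f"h1(delta{j}||PK{j})", "ADDR": f"addr-{j}"} for j in range(1, 4)]
PK_CS = "pk-cs-placeholder"
LAST_HASH = h1(b"constructed genesis block")

def demo(stale_follower: bool):
    """(CMP, committed) for n_cs = 4; a stale follower never received Tx_3."""
    block = build_block(LAST_HASH, 1_700_000_000, SAMPLE_TXS, PK_CS)
    pool = {tx_hash(t) for t in SAMPLE_TXS}
    third = pool - {tx_hash(SAMPLE_TXS[2])} if stale_follower else pool
    return try_commit(block, [(pool, LAST_HASH), (pool, LAST_HASH), (third, LAST_HASH)], 4, PK_CS)
```

With four nodes, $Min_{approve} = 3$, so `demo(False)` commits with all three follower votes while `demo(True)`, where one follower lacks $Tx_3$ in its pool, stops at CMP = 2 and does not commit.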

Formal Security Validation: AVISPA Simulation Study and IND-CPA
In this section, we utilize the "AVISPA simulation tool" [10] and IND-CPA to verify the security of the proposed system.

AVISPA Simulation
We use the "AVISPA Simulation Tool" [10] in this section to validate our proposed system security against man-in-the-middle and replay attacks.
AVISPA has four backends: the "tree automata based on automatic approximations for analysis of security protocols (TA4SP)", the "SAT-based model checker (SATMC)", the "on-the-fly model checker (OFMC)" and the "constraint-logic-based attack searcher (CL-AtSe)". Among these, the SATMC and TA4SP backends do not support the "bitwise exclusive OR (XOR)" operation; since our system uses XOR, these two backends are not suitable for the analysis. We therefore adopt the two backends that support XOR, OFMC and CL-AtSe. The proposed system is specified in the "High-Level Protocol Specification Language (HLPSL)" supported by AVISPA, implementing the basic roles of CS and $GW_j$. Figure 4 shows the HLPSL implementation of the gateway role.
At transition 1, GW sends the request message $\{PGID_j\}$ to TA with the SND operation over SKgwta, which denotes the secure channel. The declaration secret({Bj, Rj}, sp3, {GW}) means that the random nonce $B_j$ and the secret key $R_j$ are known only to GW.
At transition 2, GW receives $TGID_j$ from TA. In the login and authentication phase, GW sends the message $\{E_i, F_i, TGID_j, PK_j, TAUTH_j, T_1\}$ to CS over the insecure channel. The declaration witness(GW, CS, gw_cs_bei, Bei) means that GW generates the random nonce $\beta_i$ for CS.
At transition 3, GW receives the message $\{P_{cg}, G_i, M_{cg}, T_2\}$ from CS. The declaration request(CS, GW, cs_gw_ncs, Ncs) specifies that CS requests GW to check the value of $n_{cs}$.
The HLPSL for the cloud server is implemented similarly to the gateway's. In addition, the "composite roles and goals for sessions and environment" of the proposed system are implemented in HLPSL. AVISPA, as used in this section, is a security validation simulation based on the DY model [30]. Figure 5 gives the analysis results on the CL-AtSe and OFMC backends, which clearly show that the proposed system is resistant to "replay and man-in-the-middle attacks".

IND-CPA Security
We prove the confidentiality property of our system with the game of IND-CPA. In our scheme, the game is defined as follows.

• Init. The adversary A gives a challenge access structure $T^*$.
• Setup. The simulator X executes the Setup phase and sends the public parameters to the adversary A.
• Phase 1. A queries multiple private keys corresponding to $q_1$ different sets of attributes $(ATTRI_1, \ldots, ATTRI_{q_1})$ where $ATTRI_i \notin T^*$.
• Challenge. A submits two plaintexts $DATA_0$ and $DATA_1$ with $|DATA_0| = |DATA_1|$ to the simulator X together with $T^*$. X flips a coin $b \in \{0, 1\}$, encrypts $DATA_b$ under $T^*$, and sends the ciphertext $CT^*$ to A.
• Phase 2. A repeats Phase 1 with the attribute sets $(ATTRI_{q_1+1}, \ldots, ATTRI_q)$ where $ATTRI_i \notin T^*$.
• Guess. A outputs a guess $b'$ of $b$ to the simulator X. If $b' = b$, A wins the game.
The adversary A's advantage $\varepsilon$ in this game is defined as $\varepsilon = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$. If a probabilistic polynomial-time A can win this game with non-negligible advantage $\varepsilon$, then we show that the DBDH problem can be solved with advantage $\varepsilon/2$.
Proof. Assume that the adversary A has advantage $\varepsilon$ against the system. We build a simulator X that plays the DBDH game with advantage $\varepsilon/2$. The simulation proceeds as follows. The challenger B randomly picks $a, b, c, z \in Z_q$ and a generator $P \in G_1$. B flips a coin to obtain a random value $\mu \in \{0, 1\}$. If $\mu = 1$, $Z = e(P, P)^z$, giving the tuple $(P^a, P^b, P^c, e(P, P)^z)$; otherwise $Z = e(P, P)^{abc}$, giving $(P^a, P^b, P^c, e(P, P)^{abc})$. B then transmits the tuple to X.
Init. The simulator X runs A, which creates the access structure $T^*$ that it wants to attack and transmits it to X.
Setup. X computes the public parameters $\{PK_{TA} = k_{TA} \cdot P,\; F = P^{k_{TA}},\; e(P, P)^{\zeta}\}$, where $\zeta = ab$, and sends them to A.
Phase 1. A requests the private keys $(attr_{i1}, \ldots, attr_{iq_1})$ corresponding to $q_1$ different sets of attributes $(ATTRI_1, \ldots, ATTRI_{q_1})$ where $ATTRI_i \notin T^*$. The simulator X generates random nonces $ra_i, rb_i \in Z_q^*$ and computes $At_i = F(\zeta + ra_i)$ and, for all $s \in ATTRI_i$, $At_i^s = ra_i P + rb_i H(s)$ and $At_i^{s'} = rb_i P$, so that $attr_i = (At_i, At_i^s, At_i^{s'})$. X then sends $attr_i$ to A.
Challenge. A submits $T^*$ to the simulator X together with two plaintexts $DATA_0$ and $DATA_1$ of equal length. X tosses a coin to obtain $b \in \{0, 1\}$. If $\mu = 0$, then $Z = e(P, P)^{abc}$; in this case we let $x_j = c$, so that $e(P, P)^{abc} = e(P, P)^{\zeta x_j}$ and $c_{j1} = DATA_b \cdot e(P, P)^{abc}$. Otherwise, if $\mu = 1$, then $Z = e(P, P)^z$ and $c_{j1} = DATA_b \cdot e(P, P)^z$. X computes $c_{j2} = PK_{TA} \cdot s_j$. Then, X chooses a random point $d_{le}$ of the polynomial $q_{le}(x)$ and computes $C_{le} = q_{le}(0) \cdot P$ and $C'_{le} = q_{le}(0) \cdot h_2(attr(le))$ for all leaf nodes $le$ of $T^*$. X sends $\delta_j = (c_{j1}, c_{j2}, C_{le}, C'_{le})$ to A.
Phase 2. The adversary A repeats Phase 1 to obtain the private keys associated with the attribute sets $ATTRI_i$, $q_1 + 1 \le i \le q$, where $ATTRI_i \notin T^*$.
Guess. A outputs a guess $b'$ of $b$. If $b' = b$, X outputs 1; otherwise it outputs 0. In the case $Z = e(P, P)^{abc}$, A has received a valid ciphertext $\delta_j$, so its advantage is $\varepsilon$ and we obtain $\Pr[b' = b \mid Z = e(P, P)^{abc}] = \tfrac{1}{2} + \varepsilon$. In the case $Z = e(P, P)^z$, A has received a ciphertext unrelated to $DATA_b$ and has no advantage in guessing $b$, so $\Pr[b' = b \mid Z = e(P, P)^z] = \tfrac{1}{2}$. Therefore, the probability of a successful game is
$\Pr[A(P, P^a, P^b, P^c, e(P, P)^{abc}) = 1]$
$\Pr[A(P, P^a, P^b, P^c, e(P, P)^{z}) = 1] - \tfrac{1}{2}$
Therefore, our scheme ensures IND-CPA security.

Informal Security Analysis
We provide a nonmathematical (informal) security analysis of whether the proposed system provides the required security features and is safe against possible attacks.

Guessing Attacks
The malicious adversary A cannot guess the data user's $DUID_i$ and $DUPW_i$ in the proposed system. Suppose A obtains the credentials $\{Z_i, B_i, C_i, D_i\}$ stored on the smart card. Since $\{Z_i, B_i, C_i\}$ are encrypted with the random numbers $IU_i$ and $a_i$, A cannot obtain sensitive information from them; furthermore, these values are protected by "a one-way collision-free hash function h(·)". In addition, $D_i$ is masked by the unknown parameter $HDUPW_i$ and the secret key $r_i$. As a result, our proposed system can resist guessing attacks.

Tracing Attacks and Provides Anonymity
The adversary A attempts to obtain the real IDs of $DU_i$ and $GW_j$ in order to perform a tracing attack. In our system, the user's real identity $DUID_i$ is hidden as $HDUID_i$, masked with the random number $IU_i$. In addition, $DU_i$ sends messages over the public channel using the temporary ID $TID_i$ received from TA via an insecure channel. Moreover, $GW_j$ hides its real ID $GID_j$ as $PGID_j$, and sends messages over the public channel with the temporary ID $TGID_j$ obtained from TA. Hence, A cannot learn the original IDs $DUID_i$ and $GID_j$. This demonstrates that our system provides anonymity and can resist tracing attacks.

Impersonation Attacks
A may attempt to impersonate each entity by constructing legitimate-looking messages in order to obtain information. In our system, messages sent over public channels are encrypted using the random numbers $\beta_i$, $n_{cs}$, $x_i$ and $r_{du}$ and the secret values $r_j$ and $R_{cs}$. Moreover, in the data upload phase the message is encrypted with the session key SK. A cannot extract these values. In addition, each entity checks $e(TAUTH_j, P)$ and $e(AID_i, P) \stackrel{?}{=} e((HMID_i \cdot MC_{ic}) \cdot PK_{TA}, PK_{TA})$. Therefore, the proposed system can provide protection against impersonation attacks.

Ephemeral Secret Leakage Attacks
In the authentication and key agreement phase, $GW_j$ and CS establish the session key $SK = h_1(n_{cs}\|h_1(h_1(PGID_j)\|\beta_i)) = h_1(n_{cs}\|h_1(h_1(GID_j \oplus b_j)\|\beta_i))$ in our system. SK depends on the "ephemeral secrets $n_{cs}$ and $\beta_i$" and on the long-term secret $b_j$. Even if the short-term secrets $n_{cs}$ and $\beta_i$ are compromised to A, deriving SK without the long-term secret $b_j$ is "a computationally difficult problem". Likewise, even if the long-term secret $b_j$ is compromised to A, deriving SK without the short-term secrets is also computationally difficult. Since the SK between the gateway and the cloud server is distinct and unique per session and is built from both short-term and long-term secrets, the leakage of one session's SK to A is "computationally infeasible" to turn into the session key of another session. Therefore, the proposed system prevents ephemeral secret leakage attacks.

Mutual Authentication and Key Agreement
In our system, GW and CS authenticate each other by verifying the values $TAUTH_j$ and $M_{cg}$ in the received messages. Every transmitted message is freshened with a random number and the current timestamp. GW and CS authenticate each other in the authentication and key agreement phase and compute the same session key SK only after authentication succeeds. Therefore, our system provides key agreement with mutual authentication.

Data Access Control, Validation and Accountability
The proposed system can provide access control to IoT data of GW j . GW j establishes an access tree for IoT data and uses it to encrypt data and upload them to CS. Then, only DU i with the appropriate set of attributes in the IoT data's access tree is able to request data from CS and decrypt them with the attribute key. In addition, GW j uploads the signature value of its own data to the transaction on the blockchain. DU i can confirm that the data are uploaded by GW j through the signature value of the transaction, which means that GW j guarantees accountability for its own data when uploading. Thus, the system can provide data access control, validation, and accountability.

Efficiency Features And Security Analysis
The proposed system is compared with existing competitive data access control systems in the smart city area, such as smart health and smart homes [18,24]. All of the compared schemes use attribute-based encryption. We compare the data access control schemes with each other in terms of computation and communication costs, functionality, and security features.

Testbed Experiment Using MIRACL
In this section, we use MIRACL to provide an environment for experiments from a practical perspective. The MIRACL testbed experiment gives the computation costs of the proposed system. We performed a testbed experiment with cryptographic primitives using the popular "MIRACL" library [11] on a laptop with the following specification: "Ubuntu 18.04.4 LTS with memory 8 GiB, processor: Intel Core i7-4790 @ 3.60 GHz × 4, CPU Architecture: 64-bit". The experiments were run 100 times to determine the execution time of the "bilinear pairing operation ($T_{pair}$)", "ECC signature operation ($T_{sig}$)", "ECC scalar point multiplication ($T_{mul}$)", "ECC point addition ($T_{add}$)", "modular exponentiation operation ($T_{exp}$)", "map-to-point hash function ($T_{mtp}$)", "encryption function ($T_{enc}$)", "decryption function ($T_{dec}$)", and "one-way hash function ($T_h$)". The average execution times of these operations over the 100 runs were 6.587 ms, 0.546 ms, 2.547 ms, 0.013 ms, 0.164 ms, 7.564 ms, 0.001 ms, 0.001 ms, and 0.003 ms, respectively.

Security and Function Feature Comparison
This section presents the results of comparing the proposed system with related existing approaches in terms of security and functionality. Table 2 presents the comparison. Previous studies provide neither data accountability nor mutual authentication and key agreement, whereas the proposed method meets all essential security and functional requirements for data access control in a smart city environment. Table 2. Security and function properties comparison (Author's own processing).

Columns: Security and Function Properties | Lu et al. [18] | Qin et al. [24] | Proposed.
Legend: o: provides the security property; x: does not provide the security property; -: does not consider.
SF1: Guessing attack; SF2: Anonymity and tracing attacks; SF3: Replay and man-in-the-middle attacks; SF4: Impersonation attack; SF5: ESL attack; SF6: Session key disclosure attack; SF7: Mutual authentication and key agreement; SF8: Data validation; SF9: Data accountability.

Computation Cost Comparison Analysis
Computational costs are compared, taking into account the data upload and data request and provide phases, and follow the testbed experiment results reported in Section 7.1.
We use the average time measured on the platform for the data owner/gateway/IoT device, the cloud server, and the data user, respectively. Table 3 shows the comparison of computation costs, where n is the number of attributes; we assume n = 5 to obtain the total computation costs. The total computation cost of our system is slightly higher than that of the other systems, because the proposed system uses traditional CP-ABE, whose security is proven, rather than a more efficient variant. Moreover, as shown in Table 2, the proposed system provides mutual authentication, key agreement, and data accountability, which the other systems cannot, and it is safe against attacks from various security aspects. Table 3. Computation costs comparison (Author's own processing).

Communication Cost Comparison Analysis
For the comparison of communication costs during the data upload and data request and provide phases between the proposed system and the other systems, the $l$-column matrix, encrypted data, hash function output (using SHA-256), public key, identity, ECC value, chain code, index, and timestamp are taken as 32l bits, 256 bits, 256 bits, 256 bits, 160 bits, 256 bits, 256 bits, 256 bits, and 32 bits, respectively. Table 4 indicates that our system requires a communication cost of 2112 bits to exchange three messages for data upload and data download. On the other hand, the schemes of Lu et al. [18] and Qin et al. [24] require communication costs of 32l + 1952 bits for three messages and 2208 bits for three messages, respectively.

Conclusions
In this paper, we proposed an access control system for IoT data in various IoT environments based on CP-ABE and blockchains. Existing systems do not provide mutual authentication and key agreement for secure communication, whereas the proposed system guarantees secure communication through these two properties. In addition, the proposed system provides data validation and accountability to data users. To verify the safety of our system, formal and informal security analyses were performed, and the proposed system was compared with existing systems in terms of security and functionality. The analysis results show that the proposed system is safe against guessing, tracing, ESL, and session key disclosure attacks, unlike existing systems. In addition, our protocol can be said to be efficient because it has a computation cost similar to or lower than that of existing systems and a lower communication cost than existing systems.
In the future, we plan to design a more efficient access control system. In this paper, we used traditional CP-ABE, but a more efficient ABE is needed for a more efficient system design. In traditional CP-ABE, when the number of users or the number of attributes increases, the number of pairing operations increases. This raises the computational cost of the system, which will make it impossible to provide real-time services to users in the IoT environment. To solve this problem, a new access control method needs to be studied in future work. If we develop an access control method that stays efficient as the number of users and attributes grows, we will be able to design an access control system that is more suitable for the IoT environment.